Security researcher Jeremiah Fowler, together with the Website Planet research team, discovered a non-password-protected database that contained a massive number of records. The total size of the dataset was 601.84 GB, and the total number of documents was over 1.16 billion.
Upon further research, we found multiple references throughout the database indicating that the data belonged to the California-based online retailer Vevor.
According to Crunchbase, the company is registered in the US, but based on publicly available details on its website (e.g., the privacy policy), it appears to be a China-based company.
The database was misconfigured and left open and publicly accessible in any browser. Anyone could edit, download, or even delete data without administrative credentials. As legitimate security researchers, we never edit, delete, or modify data that we discover, and we take only a limited number of samples for research purposes.
The data was marked as “production” and contained what appears to be various types of PII and sensitive data relating to the company's online operations, including customer information such as first and last names, partial credit card numbers, transaction IDs, order and refund information, and much more. The payment and checkout records, including names, emails, home addresses, currency, and more, were exposed in both plain text and hashed form.